expressjs / discussions

Public discussions for the Express.js organization

List of dependencies to upgrade #256

Closed IamLizu closed 3 months ago

IamLizu commented 3 months ago

As part of the plan of publishing 5.0, we need to upgrade the dependencies. The idea is to create better visibility on these deps. Please note that the list has been compared against 5.0 package.json.

Dependencies that are not directly owned by expressjs / PillarsJS / jshttp.

List

Reference

carpasse commented 3 months ago

I reviewed all the dependencies, and below is the list of external dependencies that need to be updated:

| Dependency | Current Version | Updated Version | Status/Notes | License |
|---|---|---|---|---|
| cookie-signature | 1.0.6 | 1.2.1 | Update available | MIT |
| debug | 3.1.0 | 4.3.6 | Update available | MIT |
| depd | 2.0.0 | - | Already latest (6 years without update) | MIT |
| escape-html | ~1.0.3 | - | Already latest (9 years without update) | MIT |
| merge-descriptors | 1.0.1 | 2.0.0 | Update available | MIT |
| once | 1.4.0 | - | Already latest (8 years without update) | ISC |
| path-is-absolute | 1.0.1 | - | Deprecated/unmaintained | N/A |
| qs | 6.11.0 | 6.13.0 | Update available | BSD-3-Clause |
| safe-buffer | 5.2.1 | - | Already latest (5 years without update) | MIT |
| setprototypeof | 1.2.0 | - | Already latest (5 years without update) | ISC |
| utils-merge | 1.0.1 | - | Already latest (7 years without update) | MIT |

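
The audit above was done by hand. As an added example (not code from the thread or from the Express project), the script below does the same comparison mechanically: it reads a `dependencies` map in package.json range syntax, compares each entry against a registry snapshot, and flags deprecated or outdated packages. The registry snapshot is constructed from the versions in the table rather than fetched from npm, and the semver handling is a deliberately minimal subset (plain `MAJOR.MINOR.PATCH` with a leading `~`, `^`, `=` or `>=` stripped) so the script runs offline with no third-party modules.

```javascript
// Added example: audit package.json dependencies against a registry snapshot.
// Not code from the Express project; all data below is constructed for illustration.

// Constructed input: the non-jshttp/pillarjs dependencies from the thread's
// table, written the way package.json would list them.
const DEPENDENCIES = {
  'cookie-signature': '1.0.6',
  'debug': '3.1.0',
  'depd': '2.0.0',
  'escape-html': '~1.0.3',
  'merge-descriptors': '1.0.1',
  'once': '1.4.0',
  'path-is-absolute': '1.0.1',
  'qs': '6.11.0',
  'safe-buffer': '5.2.1',
  'setprototypeof': '1.2.0',
  'utils-merge': '1.0.1',
};

// Constructed registry snapshot: a stand-in for a live `npm view <pkg>` lookup,
// filled in from the "Updated Version" and "Status/Notes" columns of the table.
const REGISTRY_SNAPSHOT = {
  'cookie-signature': { latest: '1.2.1' },
  'debug': { latest: '4.3.6' },
  'depd': { latest: '2.0.0' },
  'escape-html': { latest: '1.0.3' },
  'merge-descriptors': { latest: '2.0.0' },
  'once': { latest: '1.4.0' },
  'path-is-absolute': { latest: '1.0.1', deprecated: true },
  'qs': { latest: '6.13.0' },
  'safe-buffer': { latest: '5.2.1' },
  'setprototypeof': { latest: '1.2.0' },
  'utils-merge': { latest: '1.0.1' },
};

// Parse "MAJOR.MINOR.PATCH" into three numbers; pre-release/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Strip a leading range operator (~, ^, =, >=) so the lowest version the
// range admits is the one compared against the registry.
function rangeFloor(range) {
  return range.trim().replace(/^>=|^[~^=]/, '').trim();
}

// Comparator semantics: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Classify each dependency. 'deprecated' wins over a version check because
// a newer release of an unmaintained package is not a remediation; entries
// missing from the snapshot are reported as 'unknown' rather than silently skipped.
function auditDependencies(deps, registry) {
  return Object.entries(deps).map(([name, range]) => {
    const current = rangeFloor(range);
    const entry = registry[name];
    if (!entry) return { name, current, latest: null, status: 'unknown' };
    let status = 'up to date';
    if (entry.deprecated) status = 'deprecated';
    else if (compareVersions(entry.latest, current) > 0) status = 'update available';
    return { name, current, latest: entry.latest, status };
  });
}

// Rows that need action, ordered the way a reviewer would triage them.
function actionItems(report) {
  const order = { deprecated: 0, 'update available': 1, unknown: 2 };
  return report
    .filter((row) => row.status !== 'up to date')
    .sort((a, b) => order[a.status] - order[b.status]);
}

for (const row of actionItems(auditDependencies(DEPENDENCIES, REGISTRY_SNAPSHOT))) {
  console.log(`${row.name}: ${row.current} -> ${row.latest ?? '?'} (${row.status})`);
}
```

Swapping `DEPENDENCIES` for `require('./package.json').dependencies` and the snapshot for the output of `npm view` turns this into a repeatable check that can run in CI; the deprecated-first ordering is what makes path-is-absolute surface at the top even though its version number is "current".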
IamLizu commented 3 months ago

@carpasse I think my initial comment is unclear: by checked items, I meant those that do not need intervention. Only the unchecked items need to be taken care of.

In any case, thank you for putting in the effort.

And it appears you and I agree on the list. Perhaps we can now just check off the ones that are upgraded, once their respective PRs are merged?

wesleytodd commented 3 months ago

Hey! I was working through these as well (until work and life and security stuff all started happening at once) and I was attempting to track progress in #233. Would it be a good thing to add these last items to that todo list instead of in a separate issue?

IamLizu commented 3 months ago

Hey @wesleytodd 👋

Yes, perhaps it would be better to keep track there.

I am unable to edit the last push issue though.

wesleytodd commented 3 months ago

Could you just comment them in there for now?

IamLizu commented 3 months ago

Alright, since it's referenced in the global issue now, I think we just check the relevant dependency once it's upgraded. I can keep track of that.

And I would like to work on upgrading cookie-signature.

cc: @UlisesGascon @carpasse

wesleytodd commented 3 months ago

For that lib, you should check out this issue: https://github.com/tj/node-cookie-signature/issues/36#issuecomment-2253673707

carpasse commented 3 months ago

@IamLizu I am sorry, I missed the message and started working on cookie-signature when I connected this morning. I've closed the PR, please ignore it.

I would like to work on upgrading debug dependency from 3.1.0 to 4.3.6

cc @wesleytodd @UlisesGascon @IamLizu

carpasse commented 3 months ago

@wesleytodd @UlisesGascon Express 5.0 is still using the path-is-absolute dependency, which is deprecated. I would like to remove it since it will no longer be necessary for 5.0.

carpasse commented 3 months ago

@wesleytodd @UlisesGascon @IamLizu I would like to work on updating qs dep from 6.11.0 to 6.13.0

IamLizu commented 3 months ago

Hey @carpasse 👋

Alright, and for visibility, I am updating the main comment tagging your PRs.

carpasse commented 3 months ago

Question: what branch should we base the PRs to update the dependencies on? Branch 5.0 or branch 5-merge?

wesleytodd commented 3 months ago

> Express 5.0 is still using path-is-absolute dependency which is deprecated. I would like to remove it since it will no longer be necessary for 5.0

Sounds like a good thing to remove. 👍

> I would like to work on updating qs dep from 6.11.0 to 6.13.0

I think this has already been done somewhere. Let me look, but IIRC that release was an ask of ours. I will ping in slack about it.

> Question, what branch should we base the PRs to update the dependencies on? branch 5.0 or branch 5-merge

5.0 is the correct branch. That one is Chris working on merging in some changes from master which did not merge cleanly.

IamLizu commented 3 months ago

Hi @wesleytodd 👋

> I think this has already been done somewhere. Let me look, but IIRC that release was an ask of ours. I will ping in slack about it.

I tried to search in the PRs but couldn't find qs being upgraded in any of them. I think I must have missed something.

carpasse commented 3 months ago

@wesleytodd I had a chat with @UlisesGascon and the qs dep was updated in body-parser but not in express, therefore I've created the PR.

IamLizu commented 3 months ago

Awesome!

Now that we have a PR against each of the pending deps, can we fast track these PRs and get them to land?

cc: @wesleytodd @UlisesGascon

wesleytodd commented 3 months ago

Everything above is checked off. I still have a few in #233 with remaining changes to land, but does this mean we are able to close this one?

IamLizu commented 3 months ago

Yes, we can close this 🎉

I believe this issue has served its purpose of tracking the upgrades of the dependencies of express which are not owned by express. I hope it also makes the last point of "Pending things (Express):" in #233 checkable as well.

Thank you to everyone involved in upgrading these deps.

bjohansebas commented 3 months ago

hey @IamLizu encodeurl is outdated. The latest version is 2.0.0, while the one in the package is 1.0.2. It would be good to update it.

IamLizu commented 3 months ago

@bjohansebas encodeurl is owned by PillarJS. We were only focusing on the ones that are not owned by Expressjs / PillarJS / JSHttp. Since it was already mentioned in the first comment, I didn't mention it explicitly in my last comment.

I hope it's clear now 🎉